Automated deployment of Inception on a remote server using Ansible.

This project's inventory is dynamic and designed to deploy on Linode. If you want to deploy on another cloud provider, or on on-premise servers, you can skip all the Linode-related dependencies and just create your own inventory file.
Supported systems:
- Ubuntu.
The Docker-deployed services/utilities include:
- Nginx.
- Php-FPM.
- MariaDB.
- FTP.
- Redis.
- Adminer.
- PhpMyAdmin.
- (A static website main page).
It is recommended to take a look at the playbook to fully understand its features and how to use them.

A user `ansible` is created for future playbook runs, and a user `admin` is created for server administrators to use, since `root` ssh login is prohibited.
Dependencies:
- `python3`.
- `ansible`.
- `linode_api4`.
- `passlib`.
- `community.general` collection for `ansible`.

```bash
sudo apt install python3
```
`ansible` (`passlib` is a dependency) and `linode_api4` can be installed via `pip` once `python3` is installed:

```bash
python3 -m pip install --user ansible passlib linode_api4
```
This project uses the Linode inventory community plugin, so we need to install the `community.general` collection.

Check if it's installed by running:

```bash
ansible-galaxy collection list
```

If it's not in the list, install the `community.general` collection by running:

```bash
ansible-galaxy collection install community.general
```

If it's in the list but the version is below `8.1.0`, upgrade it by running:

```bash
ansible-galaxy collection install community.general --upgrade
```

The collection is not included in the repo because it's heavy (approx. 26M).
This project uses `/var/log/ansible.log` as its log file; change it in `ansible.cfg` or create it along with an `ansible` group (recommended):

```bash
sudo touch /var/log/ansible.log
sudo groupadd ansible
sudo chown root:ansible /var/log/ansible.log
sudo chmod 775 /var/log/ansible.log
sudo usermod -aG ansible "$USER"
```
Since `./vars/vault.yml` is encrypted, here is the list of variables that must be present in the vault, so you know what should be there and can create the file easily:

- `vault_admin_user_password`: password for the `admin` user.
- `vault_ansible_user_authorized_key`: public key to add to the `ansible` user's authorized keys.
- `vault_admin_user_authorized_key`: public key to add to the `admin` user's authorized keys.
- All the Docker secrets; look in `./roles/docker_deploy/defaults/main.yml` for the variable names.

If you create additional users, make sure to place their passwords in the vault too!
Adjust the inventory to your needs. If deploying on Linode, add the `ansible-cloud1` tag to the target machines and export your API token:

```bash
export LINODE_API_TOKEN='your_token_here'
```

Then run the playbook:

```bash
ansible-playbook --ask-vault-pass site.yml
```

A `run_playbook.sh` script is also provided for convenience:

```bash
./run_playbook.sh
```

You can provide the Linode token and vault password via the environment, or you can create a `.env` file following the provided `.env.sample`, so you don't have to export the token and vault password in every new shell session:

```bash
cp .env.sample .env
vim .env # Edit the values
```
As you may expect, by default the password is only set on user creation (`update_password: on_create`).
If you want to update users' passwords, explicitly specify `update_passwords=true`, which runs specific tasks for this (with `update_password: always`):

```bash
./run_playbook.sh -e update_passwords=true
```

The reasons behind this decision are to avoid false `changed` reports and, most importantly, so the playbook doesn't mess around with passwords when it is executed against multiple machines (which should have different passwords for security).
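As an added illustration (not the project's own tasks), the play below shows how the vault variables listed earlier and the `update_passwords` extra-var fit together: the vault variable names are the README's, while the play-level default, the `admin` user's `sudo` group membership and the use of `ansible.posix.authorized_key` are assumptions made for this example.

```yaml
# Added example, not the project's playbook. Assumes vars/vault.yml holds the
# variables named in the README (vault_admin_user_password, vault_admin_user_authorized_key).
- name: Manage the admin user; only set the password on first creation
  hosts: all
  become: true
  vars:
    update_passwords: false        # overridden by `-e update_passwords=true` (extra vars win)
  vars_files:
    - vars/vault.yml
  tasks:
    - name: Ensure the admin user exists (password applied on creation only)
      ansible.builtin.user:
        name: admin
        groups: sudo               # assumption: Ubuntu's sudo group
        append: true
        shell: /bin/bash
        # password_hash needs passlib on the control node, which is why it is a dependency
        password: "{{ vault_admin_user_password | password_hash('sha512') }}"
        update_password: on_create

    - name: Force the admin password to the vault value (opt-in)
      ansible.builtin.user:
        name: admin
        password: "{{ vault_admin_user_password | password_hash('sha512') }}"
        update_password: always
      # `-e update_passwords=true` arrives as a string, so coerce it before testing
      when: update_passwords | bool

    - name: Install the admin user's public key from the vault
      ansible.posix.authorized_key:
        user: admin
        key: "{{ vault_admin_user_authorized_key }}"
        exclusive: true            # only the vaulted key may log in as admin
```

Two points this makes concrete: `password_hash` generates a fresh salt on every run, so a task with `update_password: always` reports `changed` every time even when the password is the same, which is the false report the text refers to; and keeping `on_create` as the default means re-running the playbook against several hosts with different vaults never overwrites a host's existing password unless the operator explicitly opts in.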
UFW by default does not clean previous rules; if you want to force a reset of the current rules, do it with `reset_ufw=true`:

```bash
./run_playbook.sh -e reset_ufw=true
```

Docker Compose by default does not restart if at least one container of the compose project is running; you can force a restart with `restart_compose=true`:

```bash
./run_playbook.sh -e restart_compose=true
```

You can of course always run the full `ansible-playbook` command instead of using the script, since these flags are for Ansible and not for the script:

```bash
ansible-playbook --ask-vault-pass site.yml -e update_passwords=true
```
If you changed the ssh port or the default users array in the defaults, make sure to change the remote user and port in `ansible.cfg`; by default it works with the `ansible` user and port `4242`.
If the custom ssh port is closed, it will attempt the connection with `root` or port 22, assuming the ssh config has not been changed yet.
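One way to implement that fallback, as an added example rather than the project's own playbook: probe the hardened port from the control node before any task needs a connection, and only drop back to `root` on port 22 if it does not answer. The variable names `hardened_ssh_port` and `hardened_ssh_user` are assumptions; the values `4242` and `ansible` are the README's defaults.

```yaml
# Added example, not the project's playbook. gather_facts must be off, otherwise
# Ansible would try to connect with the not-yet-verified user/port before the probe.
- name: Select SSH parameters before any real work
  hosts: all
  gather_facts: false
  vars:
    hardened_ssh_port: 4242     # assumed variable name; value from the README
    hardened_ssh_user: ansible  # assumed variable name; value from the README
  tasks:
    - name: Check whether the hardened SSH port answers (TCP connect from the control node)
      ansible.builtin.wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ hardened_ssh_port }}"
        state: started
        timeout: 5
      delegate_to: localhost
      register: hardened_port
      ignore_errors: true        # a closed port is expected on a fresh host

    - name: Use the hardened user and port when reachable
      ansible.builtin.set_fact:
        ansible_user: "{{ hardened_ssh_user }}"
        ansible_port: "{{ hardened_ssh_port }}"
      when: hardened_port is succeeded

    - name: Otherwise fall back to root on port 22 for the bootstrap run only
      ansible.builtin.set_fact:
        ansible_user: root
        ansible_port: 22
      when: hardened_port is failed

- name: Everything below connects with whichever credentials were selected
  hosts: all
  gather_facts: true
  tasks:
    - name: Confirm the chosen connection works
      ansible.builtin.ping:
```

The probe is a plain TCP connect, so a firewall that silently drops packets simply makes it time out after five seconds and triggers the fallback. Because the hardening play later moves sshd to the custom port and disables `root` login, every subsequent run of this pattern selects the `ansible` user and the hardened port automatically, and the `root`/22 path is only ever taken on an unconfigured host.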
If you get this error when parsing the Linode inventory file:

```
[WARNING]: * Failed to parse /.../inventory.linode.yml with ansible_collections.community.general.plugins.inventory.linode plugin: __init__() got an unexpected keyword argument 'allowed_methods'
```

there is an incompatibility issue due to the `allowed_methods` argument of the `urllib3.util.retry` module, which was added in `urllib3` version `1.26.0`.
To resolve this issue, you need to upgrade `urllib3` to version `1.26.0` or higher:

```bash
python3 -m pip install --upgrade urllib3
```

And `requests`, in case you get a warning about an unsupported `urllib3` version:

```bash
python3 -m pip install --upgrade requests
```